Knowing that bad actors tend to use VPNs, is it possible to block IPs belonging to VPNs? Like a geographic block, except “block known malicious VPN IPs” or “block all VPN IPs”. I don’t want you touching my network if you are using a VPN provider, right??
I block IP addresses using reputation lists. It’s not perfect but it’s cutting down the number of brute force attempts we get dramatically.
I would recommend using Application Control to block the category Proxy. Additionally create a DNS Filter and Web Filter to block Proxy Avoidance. These policies do require a subscription license to keep up to date.
Look up and see if they’re in the internet services list.
You could also either lookup their whois etc or possibly use a threat feed from an external source.
I can think of a couple of others but haven’t proved them.
Make an ISDB rule at the top of your rule set that blocks known malicious IPs, Tor exit nodes, known spam etc. hth
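What such a top-of-ruleset ISDB deny policy looks like in the FortiOS CLI, as an added example rather than the commenter’s own configuration. The interface name wan1, the policy name, and the exact ISDB entry names (Malicious-Malicious.Server is mentioned later in the thread; Tor-Exit.Node and Spam-Spamming.Server are assumed and should be checked against the ISDB list on your own unit) are assumptions:

```fortios
config firewall policy
    edit 0
        set name "Deny-ISDB-Malicious-Src"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Spam-Spamming.Server"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After creating it, move the policy above any allow rules for the same interface pair (it is evaluated top-down), and leave logging enabled so false positives show up in the traffic log and can be excepted with a narrower allow rule above it.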
You can block apps of VPN providers.
I use App control to block all proxy, private VPN and P2P applications.
Though I would like to implement what u/moneyfink has implemented as well. I’d like to discuss your setup process if you’d be willing. I’d never thought of doing it this way.
that sounds great, what list do you use? I’ll look up how to implement this.
With FAZ, use an event handler to automate the srcip to a BLOCK group applied to local-in-policy
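The local-in-policy side of that setup, as an added example that is not the commenter’s own configuration (the FortiAnalyzer event handler that populates the group is configured in the FAZ GUI and is not shown). It also folds in the external threat feed mentioned earlier in the thread, referenced as a second source in the same policy. The interface wan1, the object names, the feed URL, and the constructed sample address 203.0.113.5 are all assumptions:

```fortios
config firewall address
    edit "BLOCK_SRC_203.0.113.5"
        set type ipmask
        set subnet 203.0.113.5 255.255.255.255
        set comment "Constructed sample entry; FAZ event handler adds real hits"
    next
end
config firewall addrgrp
    edit "BLOCK_GROUP"
        set member "BLOCK_SRC_203.0.113.5"
    next
end
config system external-resource
    edit "reputation-blocklist"
        set type address
        set resource "https://feeds.example.invalid/blocklist.txt"
        set refresh-rate 5
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "BLOCK_GROUP" "reputation-blocklist"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

local-in-policy protects traffic addressed to the FortiGate itself (SSL VPN portal, admin GUI, IPsec negotiation), which ordinary firewall policies do not cover, so this is the place for an automated source blocklist; a firewall policy with the same group is still needed for traffic passing through the unit.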
This plus block newly observed domains. I maintain fw for a high school and we just see the blocks happening all day with the two listed above plus this.
u/NetworkDefenseblog: This is for VPN, so it’s not covered via the policy and SSL-VPN setting with negate option?
This would be for any inbound/outbound traffic in your policy ruleset, so possibly IPsec (if you have chips you’ll need to match VIP in these rules). SSL VPN is handled differently. You could geo-block SSL VPN easily to start in the SSL VPN settings for allowed IP addresses. Create address objects of the countries you want to allow and have those as the allowed addresses in SSL VPN settings.
u/moneyfink: Is there any documentation available on how to create an MS Teams chatbot and create a TXT file on the server? How will the FGT read it?
I don’t see any reputation-based ISDB.
OK, I found it. It’s Malicious-Malicious.Server.
Is it possible to use this in SSL VPN negate settings?
People are here asking for help, let’s not make them feel bad for doing so.
u/NetworkDefenseblog: Geo block doesn’t work for companies where users are spread around the globe.
You can create an address group and then use that in the SSL setting.
config firewall address
    edit "Block_SSLVPN"
        set subnet 10.47.2.111 255.255.255.255
    next
end
config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
So users are spread around the world and geo block won’t work, yet you suggest doing the same thing but with address blocks which is arguably harder to maintain but offers more granularity.
u/NetworkDefenseblog: I was checking and all the IPs trying to get into our VPN are part of Malicious-Malicious.Server. The IP location is US and our users are in the US. Using Geo Block for the US location will block their access as well.
Using ISDB may result in false positive but not for larger scale.
I don’t think you understood my original comment about the ISDB.
Sorry about that. Maybe you can rephrase it?
You can use ISDB to block known malicious IPs or spam IPs etc. It’s curated by Fortinet; it could have false positives, but more likely not, as it’s individual IPs, not as many ranges. Thanks